# Where Tempest Stores Your Credentials

When Tempest needs to remember a secret across restarts — your vault unlock key, OAuth tokens, the device push token — it uses the **operating system's secure credential store**. Each platform has its own; Tempest picks the right one automatically. This page explains exactly what gets stored where and how the fallback behaves on systems without a usable keystore.

(For how vault contents themselves are encrypted before sync, see [End-to-End Encryption](/account-and-privacy/end-to-end-encryption.md). This page is about local secret storage.)

## What Tempest stores locally

| Item                                                                        | Why it's stored                                                     |
| --------------------------------------------------------------------------- | ------------------------------------------------------------------- |
| **Vault unlock key** (or a wrapped form of it)                              | So you don't have to type your vault password on every launch       |
| **Sync session token**                                                      | To keep you signed in across app restarts                           |
| **Device push token**                                                       | Long-lived per-device token used by Tempest Push (desktop)          |
| **OAuth2 refresh tokens**                                                   | Renew sync sessions without re-typing credentials                   |
| **Per-host credentials** flagged as *"save in keychain"* (optional, opt-in) | So you can choose to skip vault-level encryption for low-risk hosts |

Everything else (your hosts, snippets, SSH keys, certs) lives inside the encrypted vault — see [End-to-End Encryption](/account-and-privacy/end-to-end-encryption.md).

## Per-platform storage

### macOS — Keychain

Tempest stores secrets in the **macOS Keychain** under the service name `app.gotempest.tempest`. Secrets are protected by your macOS login password and (where available) Touch ID / system biometrics.

To inspect: open **Keychain Access.app** → search for "tempest".

### Windows — Windows Credential Manager

Tempest stores secrets in **Windows Credential Manager** (the same store used by Microsoft Edge, Outlook, and most Win32 apps). Secrets are protected by your Windows account password and DPAPI.

To inspect: **Control Panel → User Accounts → Credential Manager → Windows Credentials** → entries prefixed with `tempest`.

### Linux — Secret Service (libsecret)

Tempest uses the **freedesktop Secret Service API** — implemented by **GNOME Keyring** (default on GNOME, Cinnamon, Unity) or **KWallet** (default on KDE Plasma).

If you're running a desktop environment that ships either, you don't need to do anything. Tempest secrets show up in:

* `seahorse` (GNOME Keyring viewer)
* KWallet Manager

#### In-memory fallback when no keystore is available

Some Linux setups have no Secret Service:

* Minimal window managers (i3, sway, dwm, awesome) installed without GNOME Keyring or KWallet
* Headless servers (no DBus session)
* Some restricted enterprise installs

In these cases, Tempest **falls back to an in-memory secret store**. This means:

* **You'll be prompted to enter your vault password every time Tempest starts.**
* Sync session tokens are lost on restart, so you'll re-sign-in to your account too.
* OAuth2 refresh tokens aren't persisted — same caveat.

This is intentional — writing secrets to a plaintext file on disk would be a worse outcome. To enable persistent secret storage, install a Secret Service implementation:

```bash
# Most desktop distros
sudo apt install gnome-keyring   # libsecret-tools only adds the secret-tool CLI, not a keystore
# Or for KDE
sudo apt install kwalletmanager
```

After install, restart Tempest. It'll detect the new keystore and start using it for the next session's secrets.
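As an added diagnostic covering the macOS and Linux sections above (example code, not Tempest's own): it reports which keystore the current OS offers, on macOS lists the Keychain items under the documented service name `app.gotempest.tempest` without revealing the secret itself, and on Linux asks the session bus whether a Secret Service (`org.freedesktop.secrets`) is present, which is exactly the condition that decides between persistent storage and the in-memory fallback. It assumes `dbus-send` is installed on Linux and the `security` CLI on macOS; the mapping of MSYS/MinGW `uname` names to Windows Credential Manager is an assumption for Git Bash style shells.

```shell
#!/bin/sh
# Added diagnostic (not Tempest's own code): report which local secret store
# this machine can offer Tempest, and whether a Linux session has a Secret
# Service. Assumes dbus-send (Linux) and the security CLI (macOS) exist.
# The service name below is the one documented for the macOS Keychain.
TEMPEST_SERVICE="app.gotempest.tempest"

# Parse the reply to org.freedesktop.DBus.NameHasOwner read from stdin:
# prints "present" when org.freedesktop.secrets has an owner, else "absent".
parse_name_has_owner() {
  if grep -q 'boolean true'; then echo present; else echo absent; fi
}

# Classify a Linux session. $1 = value of DBUS_SESSION_BUS_ADDRESS,
# $2 = "yes" if dbus-send is available. Argument-driven so every branch
# can be exercised without a real bus.
linux_keystore_state() {
  bus="$1"; have_dbus_send="$2"
  if [ -z "$bus" ]; then
    echo "no-session-bus"   # headless / no DBus session: in-memory fallback
    return 0
  fi
  if [ "$have_dbus_send" != "yes" ]; then
    echo "cannot-probe"     # install the dbus package to get dbus-send
    return 0
  fi
  dbus-send --session --print-reply --dest=org.freedesktop.DBus \
    /org/freedesktop/DBus org.freedesktop.DBus.NameHasOwner \
    string:org.freedesktop.secrets 2>/dev/null | parse_name_has_owner
}

# Map a uname(1) kernel name to the keystore Tempest would use there.
keystore_for_os() {
  case "$1" in
    Darwin) echo "macOS Keychain" ;;
    Linux)  echo "Secret Service (GNOME Keyring / KWallet) or in-memory fallback" ;;
    MINGW*|MSYS*|CYGWIN*) echo "Windows Credential Manager" ;;   # assumption
    *)      echo "unknown" ;;
  esac
}

main() {
  os="$(uname -s)"
  echo "OS: $os -> $(keystore_for_os "$os")"
  case "$os" in
    Darwin)
      # Lists item attributes only; no -w flag, so the secret is never printed.
      security find-generic-password -s "$TEMPEST_SERVICE" 2>/dev/null \
        || echo "no Keychain items for $TEMPEST_SERVICE"
      ;;
    Linux)
      if command -v dbus-send >/dev/null 2>&1; then have=yes; else have=no; fi
      echo "Secret Service: $(linux_keystore_state "${DBUS_SESSION_BUS_ADDRESS:-}" "$have")"
      ;;
  esac
}

main
```

Run it in the same session Tempest starts from: a result of `no-session-bus` or `absent` on Linux is the situation the fallback above describes, and `present` means a keystore is available and persistent storage should work after a restart.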

### Web Mode (browser)

When Tempest runs in [Web Mode](/deployment/self-hosted-tempest-server.md), there's no OS keystore the browser can write to. Instead:

* Vault unlock key lives in **session storage** — cleared when you close the tab.
* Sync session token lives in a **secure HTTP-only cookie** scoped to your Tempest server.

You'll need to re-enter your vault password each time you open Tempest in a new browser session. This is by design — browsers are too varied an environment to guarantee a secure persistent secret store.

### iOS / Android

Mobile platforms have first-class secure storage:

* **iOS** — **Keychain Services**, hardware-backed by the Secure Enclave when available.
* **Android** — **Android Keystore**, hardware-backed by StrongBox / TEE on supported devices.

Both are Tempest's default; no fallback is needed.

## How to wipe stored credentials

If you want to remove all Tempest secrets from the OS keystore:

| Platform      | Action                                                                |
| ------------- | --------------------------------------------------------------------- |
| macOS         | Keychain Access → search `tempest` → delete entries                   |
| Windows       | Credential Manager → Windows Credentials → delete `tempest:*` entries |
| Linux (GNOME) | `seahorse` → Login keyring → delete `tempest:*` entries               |
| Linux (KDE)   | KWallet Manager → kdewallet → delete `tempest:*` entries              |
| iOS / Android | Uninstall the app — secrets are scoped to the app's keychain entry    |

After wiping, your next Tempest launch starts cold: you'll re-enter your vault password and sign in to sync again.

## Security notes

* Tempest never writes secrets to plaintext files or to its own SQLite database. Secrets are *always* either in the OS keystore or in process memory.
* On macOS / Windows / iOS / Android, the keystore is hardware-protected (Secure Enclave / TPM / StrongBox where available).
* On Linux, security depends on your Secret Service implementation. GNOME Keyring and KWallet both encrypt secrets at rest under your login password.
* The in-memory fallback (Linux without keystore) is *less convenient* but *not less secure* — it just means you re-authenticate on every launch.

## See also

* [End-to-End Encryption](/account-and-privacy/end-to-end-encryption.md) — how the vault contents themselves are encrypted before sync
* [How Tempest Protects Your Privacy](/account-and-privacy/how-tempest-protect-your-privacy.md) — the high-level security overview
* [Reset Your Tempest Password](/account-and-privacy/resetting-password.md) — sync vs. vault password explained

